Pulse Secure has fixed multiple Critical and High risk vulnerabilities as part of the 9.1R12 update for Pulse Connect Secure (PCS) system software.
An attacker could exploit these vulnerabilities to take control of an unpatched device.
As part of security advisory SA44858, Pulse Secure patched 2 Critical and 4 High severity PCS vulnerabilities (with severity and CVSS score):
- CVE-2021-22937: File write vulnerability (Critical, CVSS 9.1)
- CVE-2021-22935: Command injection (Critical, CVSS 9.1)
- CVE-2021-22936: Cross-site scripting (High, CVSS 8.2)
- CVE-2021-22934: Buffer overflow (High, CVSS 8.0)
- CVE-2021-22938: Command injection (High, CVSS 7.9)
- CVE-2021-22933: Arbitrary file delete vulnerability (High, CVSS 9.6)
Network administrators are highly encouraged to upgrade their Pulse Secure devices as soon as possible to address these vulnerabilities.
Although the advisory did not call out any known exploits of these issues in the wild yet, many experts have been warning of attackers targeting Pulse Secure devices throughout the year.
In addition, vulnerabilities in Pulse Secure VPN devices have appeared on the lists of the most commonly exploited vulnerabilities in both 2020 and 2021.
- Alert: Threat actors continue to exploit patched Pulse Secure VPN devices
- Attackers continue to target unpatched Pulse Secure VPN systems
- Top most commonly exploited vulnerabilities over 2020 and 2021
- Threat actors breach South Korean atomic research institute via VPN vulnerability
- Another 3 Pulse Connect Secure Critical vulnerabilities discovered